vs Existing tools

What no one combines — and what we learned.

Each load-bearing property exists somewhere in the OSS landscape. Runelm is the first library to combine all five into one enforced pipeline — fail-closed by default. Here is the honest read on the field.

What no one combines

Five properties. Six libraries. Zero overlap.

Each load-bearing property exists somewhere in the landscape. Runelm is the first library to combine all five into a single enforced pipeline — fail-closed by default.

PropertyRunelmNeMoGuardrails AIPresidioLLM GuardLakeraPromptGuard
Classification tiers drive routing
BLOCKED / HIGH / MEDIUM / LOW determine which provider is reachable, not just a risk score.
Four tiers, each pinned to a provider tier registry. Operators cannot override.
Deterministic, session-scoped, type-preserving pseudonyms
Acme Corp is always the same rune within a session, in a format that preserves the entity's syntactic role.
Per-session counter, AES-256-GCM-encrypted map, runic stable placeholder.
Routing enforcement keyed to classification
HIGH stays L1 local. MEDIUM allowed only on contracted L2 with DPA. LOW can reach L3 pay-per-token.
There is no --allow-l3-for-high flag. The system does not ask.
Map-bounded rehydration (anti-injection)
Only reverse placeholders the outbound substitution map created. Synthesized placeholders in the response stay masked.
Defeats placeholder-synthesis exfiltration via prompt injection.
HMAC-hashed audit without prompt text
Plain SHA-256 creates a confirmation oracle. HMAC with a server-side secret breaks it.
HMAC-SHA-256, tamper-evident store, audit-on-audit.
Fail-closed by default
Any error in classification, pseudonymization, routing, or audit blocks the request. Cleartext fallback is impossible.
The architectural invariant. Not a configuration flag.
present partial absent

The libraries, one paragraph each

  • NVIDIA NeMo Guardrails

    Apache 2.0

    Programmable input/output/dialog/retrieval rails authored in the Colang DSL.

    what it does well

    Strong on rail composition and self-check loops. The PII recognizer integrates Presidio but is bolt-on, not load-bearing.

    what it misses for a DSP

    Fail-open by default. No routing enforcement keyed to classification. Colang is one more language to learn for teams that just want a sanitization gate.

  • Guardrails AI

    Apache 2.0

    Validators composed into a Guard. RAIL spec, Pydantic-typed structured outputs, retry/reask loops.

    what it does well

    Best-in-class at structured-output validation and JSON-schema enforcement.

    what it misses for a DSP

    OnFailAction.NOOP exists and is sometimes a default — silent-continue is the wrong default for a security gate. No multi-tier routing. No deterministic session-scoped pseudonymization.

  • Microsoft Presidio

    MIT

    Pluggable PII detection plus anonymization SDK. Analyzer + Anonymizer + Image Redactor.

    what it does well

    The canonical PII detection toolkit. The Encrypt/Decrypt operator pair is the closest existing OSS primitive to reversible pseudonymization.

    what it misses for a DSP

    Not a guardrail. No gate concept, no session scope, no routing. Runelm uses Presidio underneath for NER (stage 6 of the pipeline).

  • LLM Guard (ProtectAI)

    MIT

    Fifteen input scanners + twenty output scanners. The closest existing tool to a DSP.

    what it does well

    Anonymize + Vault + Deanonymize triple is the only OSS pattern that does detect-pseudonymize-rehydrate in a single library.

    what it misses for a DSP

    Vault is process-global — cross-tenant leak waiting to happen. No map-bounded rehydration. No classification tier driving routing. No HMAC audit. Fail-soft default.

  • Lakera Guard

    Proprietary (Check Point)

    Closed SaaS firewall — single POST /v2/guard endpoint. Sub-50ms, 100+ languages.

    what it does well

    Excellent shape for an external policy API.

    what it misses for a DSP

    Cannot self-host. A non-starter for sovereignty cases (EU AI Act high-risk, classified, defense, regulated finance).

  • PromptGuard (via LiteLLM)

    Mixed

    Self-hostable AI security gateway. Three decision paths: allow / block / redact.

    what it does well

    The most fail-closed-by-config in the lineup — block_on_error=true makes failure mode explicit.

    what it misses for a DSP

    Pseudonymization is redact-only. No session-scoped map, no map-bounded rehydration, no classification-driven routing.

What we learned from

  • LLM Guard's scanner API ergonomics — (sanitized_text, is_valid, risk_score) is a clean uniform return contract.
  • Presidio's recognizer registry — pluggable add_recognizer() is the right extensibility model.
  • Presidio's Encrypt/Decrypt operator pair — AES-CBC reversibility is the right primitive.
  • NeMo's separation of detect vs decide — keep the policy DSL separate from the recognizer code.
  • PromptGuard's block_on_error=true — make it the default in Runelm.
  • Guardrails AI's standalone-server mode — proves "swap your OpenAI base_url" works as an install pattern.

What we deliberately did not copy

  • NeMo's Colang DSL — one more language, non-trivial parser. YAML + Pydantic instead.
  • LLM Guard's process-global Vault — shared mutable singleton is wrong by default. Sessions own their own map.
  • Rebuff's "100% protection not possible" framing — technically true, bad security posture as a tagline.
  • Guardrails AI's OnFailAction.NOOP — never make "silently continue" a default.
  • Per-call LLM judges as the primary classifier — GPT-5 safety classifier adds 5-11s per check. Use small local models or rule+regex for the hot path.
  • Lakera's closed-API model — self-hostable or nothing.